2. About me
• Secretary RFID Platform Nederland
• Privacy specialist at ECP.NL
• Partner at Considerati
• Assistant professor at the University of Leiden
(faculty of law)
4. RFID Nederland
“Stimulating the uptake of RFID
technology and ensuring its
responsible use”
• Market initiative
• 50 participants
• www.rfidnederland.nl
• www.watisrfid.nl
5. Business drivers for RFID
Real-time insight into business processes increases:
•Efficiency
•Security
•Customer loyalty
10. Security risks
• Access to data on the chip (including possible keys)
• Access to associated databases
• Access to communication between tag and reader
• Attack vector into back-end databases (e.g. viruses, SQL injection)
• Cloning (!!!!)
• Possibility to follow / track and trace people
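The two risks that drove the OV chipkaart incidents, cloning and access to the tag/reader channel, come down to one question: does the reader trust anything the tag merely states, or only something the tag can prove with a secret that never leaves the chip? The following is an added example, not code from the slides or from any RFID product: a "static" tag whose identity is its readable content (skimmable and cloneable) beside a "keyed" tag that only answers fresh reader challenges with a MAC. All class and function names, the UID and the key are constructed for the illustration; the MAC is HMAC-SHA256 standing in for whatever the chip would really use.

```python
# Constructed example, not code from the slides: models the "cloning" and
# "access to communication between tag and reader" risks listed above.
# All names (StaticTag, KeyedTag, ReplayClone, ...) are hypothetical.
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple


class StaticTag:
    """A tag whose only 'secret' is its visible content (UID + stored data).
    Whatever a legitimate reader can read, a skimmer can read and write
    onto a blank tag."""

    def __init__(self, uid: bytes, data: bytes):
        self.uid = uid
        self.data = data

    def read(self) -> Tuple[bytes, bytes]:
        return self.uid, self.data


def skim_and_clone(tag: StaticTag) -> StaticTag:
    """Attacker with a reader: dump the tag and write a byte-identical clone."""
    uid, data = tag.read()
    return StaticTag(uid, data)


def weak_reader_accepts(tag: StaticTag, known_uids: Set[bytes]) -> bool:
    """Reader that trusts the tag's static identity. A clone passes."""
    uid, _ = tag.read()
    return uid in known_uids


class KeyedTag:
    """A tag holding a per-tag secret that never leaves the chip; it only
    answers reader-chosen challenges with a MAC over (uid || challenge)."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key  # never transmitted over the air

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class ReplayClone:
    """Attacker who eavesdropped one tag<->reader exchange and replays it.
    Without the key it cannot compute responses to fresh challenges."""

    def __init__(self, uid: bytes, seen_challenge: bytes, seen_response: bytes):
        self.uid = uid
        self.table = {seen_challenge: seen_response}

    def respond(self, challenge: bytes) -> bytes:
        # Correct answer only for the challenge it recorded; otherwise bluff.
        return self.table.get(challenge, b"\x00" * 32)


def strong_reader_accepts(tag, uid: bytes, key_db: Dict[bytes, bytes],
                          challenge: Optional[bytes] = None) -> bool:
    """Reader that issues a fresh random challenge per session and checks the
    MAC with the key it holds for that UID. `challenge` can be pinned to show
    what happens if a reader (wrongly) reuses one."""
    key = key_db.get(uid)
    if key is None:
        return False
    if challenge is None:
        challenge = os.urandom(16)
    expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)


def demo() -> Dict[str, bool]:
    uid = bytes.fromhex("04a1b2c3d4e5f6")                   # constructed 7-byte UID
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    key_db = {uid: key}

    # 1. Static tag: skim, clone; the weak reader cannot tell the difference.
    genuine_static = StaticTag(uid, b"balance=12.50")
    clone_static = skim_and_clone(genuine_static)

    # 2. Keyed tag: the attacker sniffs one complete exchange on the air ...
    genuine_keyed = KeyedTag(uid, key)
    sniffed_challenge = os.urandom(16)
    sniffed_response = genuine_keyed.respond(sniffed_challenge)
    clone_keyed = ReplayClone(uid, sniffed_challenge, sniffed_response)

    return {
        "weak_accepts_genuine": weak_reader_accepts(genuine_static, {uid}),
        "weak_accepts_clone": weak_reader_accepts(clone_static, {uid}),
        "strong_accepts_genuine": strong_reader_accepts(genuine_keyed, uid, key_db),
        # ... which only helps if the reader reuses the very same challenge.
        "strong_accepts_replay_same_challenge": strong_reader_accepts(
            clone_keyed, uid, key_db, challenge=sniffed_challenge),
        "strong_accepts_clone": strong_reader_accepts(clone_keyed, uid, key_db),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the example makes about the list above: cloning is cheap exactly when the reader's decision depends on data it can read back (the "access to data on the chip" and "access to communication" items), and the challenge-response design fails again the moment the secret key itself can be extracted or recovered by cryptanalysis, which is what the Mifare Classic work discussed later achieved.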
12. Privacy risks
• Due to its invisible nature RFID can be used to surreptitiously gather
personal data.
• Companies can use this information to profile and classify customers
• Companies can use this information to follow and track consumers
throughout their daily lives
• Companies can use invasive Minority Report style advertising
13. The role of privacy
• Information is power
• (Personal) data is used to profile and classify
consumers
• Privacy is a means to maintain ‘economic equality’
between companies and consumers
• Consumers (should) have a say in the processing of
their personal data
14. EU Privacy Law
• Data Protection Directive (95/46/EC)
• Telecom Privacy Directive (2002/58/EC)
15. EU Privacy Law
• Surreptitious gathering of personal data is a violation of the data
protection directive (95/46/EC).
• Using personal data for other purposes than for which they
have been gathered is a violation of the data protection
directive
• Surreptitiously monitoring and following people is a criminal
offence (and where not, it should be).
• Targeted advertising without prior permission from consumers is
a violation of the data protection directive and the Telecom
Privacy Directive (2002/58/EC).
16. Example I: OV chipkaart
• Mifare Classic (subscriptions etc.) / Mifare Ultralight (day tickets)
• Hack Plötz & Nohl (reverse engineering -> skimming -> cloning)
• Hack Radboud I (Mifare Ultralight) (skimming -> cloning)
• Dutch Data Protection Authority warns GVB, NS
• Hack Radboud II (Mifare Classic) (cryptanalysis -> skimming -> cloning)
• Press coverage differs from the facts
• NXP (wrongfully) bashed for providing insecure chip
• Security through obscurity worked for 13 years...
See also: https://ovchip.cs.ru.nl/Event_history
19. Incident-driven response...
• Consumer backlash (boycott) against technology
• Motion to cancel the OV chipkaart
• EU Recommendation on RFID & Privacy:
- Mandatory privacy impact assessment
- Opt-in for retail environment
20. Observations
• Emphasis on technology instead of application
• Security issues and privacy issues are often confused
• Business reality can differ from security reality
- security through obscurity may make sense for a business
- cost/risk analysis is leading, not 100% security
• Solutions are currently viewed as either/or
(e.g. opt-in for retail)
• There is no integrated approach towards security and
privacy
21. The right tool for the job
• 100% security is not always the most optimal economic decision
• RFID should not be the only security measure
• Focus on the problem, not the technology
• Which tool is most effective?
22. Suggestions
• Clear(er) distinction between privacy and security
- strengthen overall system security
- create tools to enhance privacy (Privacy by design, PETs)
- create tools to effectuate legal safeguards (consumer in control)
• Security experts must educate businesses, consumers,
policymakers and politicians (in English please)
• Security, business processes, and legal safeguards must
strengthen each other
23. The way forward
Companies should:
• Use RFID in a responsible manner
• Provide benefits not only to themselves, but also to consumers
• Provide openness and transparency about the use of RFID
• Provide a truly free choice for consumers
Government should:
• Create tools for the protection of privacy (PETs, RFID guardians, logo
system)
• Place the consumer in control
• Monitor possible shifts in the balance of power, and correct where
necessary
Security experts and researchers should:
• Try to translate their work into plain language (“Jip en Janneke” level) and proper English
• ...Keep up the good work
24. Bart Schermer
ECP.NL / RFID Platform Nederland
Overgoo 11
2260 AG Leidschendam
070-4190309
bart.schermer@ecp.nl
“RFID will have a bigger impact on our
society than the Internet has had”
-- Prof. Cor Molenaar, chairman of RFID Nederland
Questions?